24 September 2020 | Risk Management

Risk and compliance professionals in financial companies ‘lack confidence in security data’

Senior risk and compliance professionals within financial services companies lack confidence in the security data they are providing to regulators, according to the “2020 GRC Peer Report” from Panaseer, a continuous controls monitoring platform for enterprise security.

Results from a global external survey of more than 200 governance, risk and compliance (GRC) leaders reveal concerns about data accuracy, request overload, resource-heavy processes and a lack of end-to-end automation.

Panaseer said the results indicate a wider issue with cyber risk management: if GRC leaders don’t have confidence in the accuracy and timeliness of security data provided to regulators, then the same holds true for the confidence in their own ability to understand and combat cyber risks.

Fewer than half (41 percent) of risk leaders feel “very confident” that they can fulfil the security-related requests of a regulator in a timely manner. Just over a quarter (27.5 percent) are “very satisfied” that their organisation’s security reports align with regulatory compliance needs.

GRC leaders cited their top challenges in fulfilling regulator requests as getting access to accurate data (35 percent); the number of report requests (29 percent); and the length of time it takes to get information from security teams (26 percent).

Panaseer said the issue has been perpetuated by the limitations of traditional GRC tools, which rely on qualitative questionnaires to provide evidence of compliance.

Some 92 percent of senior risk and compliance professionals believe it would be valuable to have quantitative security controls assurance reporting (vs qualitative) and 93.5 percent believe it’s important to automate security risk and compliance reporting.

However, only 11 percent state that their risk and compliance reporting is currently automated from end to end.

Some 96 percent said it is important to prioritise security risk remediation based on its impact on the business, but most cannot isolate risk to critical business processes composed of people, applications or devices. Only a third (33.5 percent) of respondents are “very confident” in their ability to understand all their asset inventories.

Charaka Goonatilake, CTO of Panaseer, said: “Faced with increasing requests from regulators, GRC leaders have resorted to throwing a lot of people at time-sensitive requests.

“These manual processes, combined with a lack of GRC tool scalability, necessitate data sampling, which means they cannot have complete visibility or full confidence in the data they are providing.

“The challenge is being exacerbated by new risks introduced by internet of things sensors and endpoints, which rarely consider security a core requirement and therefore introduce greater risk and increase the importance of controls and mitigations to address them.”

Andreas Wuchner, a Panaseer advisory board member, added: “To face the new reality of cyberthreats and regulatory pressures requires many organisations to fundamentally rethink traditional tools and defences.

“GRC leaders can enhance their confidence to accurately and quickly meet stakeholder needs by implementing continuous controls monitoring, an emerging category of security and risk, which has been recognised in the 2020 Gartner Hype Cycle for Risk Management.”
